File name:	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070
Full analysis:	https://app.any.run/tasks/7221a559-4f02-47b5-bd25-eacf0638e313
Verdict:	Malicious activity
Threats:	Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 11, 2025, 01:29:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sainbox rat gh0st vmprotect rdp upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	588A3D3EC2A1E9967EA4C8A0BD492558
SHA1:	EBC484B0BE32A74A13D5FC00D2D604FB6495A58C
SHA256:	F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070
SSDEEP:	49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYV0:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgV

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:03:29 14:48:39+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	3530752
InitializedDataSize:	835584
UninitializedDataSize:	-
EntryPoint:	0x2dfb0a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	Windows 配置程序
ProductName:	Windows 核心进程
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

PID	CMD	Path	Indicators	Parent process
396	C:\Users\admin\AppData\Local\Temp\\AK47.exe	C:\Users\admin\AppData\Local\Temp\AK47.exe		f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe
User: admin Company: FEIM Studios Integrity Level: HIGH Description: A Free Enterprise Instant Messenger Exit code: 0 Version: 3, 5, 0, 1
440	"C:\Users\admin\Desktop\f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe"	C:\Users\admin\Desktop\f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
512	"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"	C:\Windows\SysWOW64\wscript.exe	—	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384
644	"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"	C:\Windows\SysWOW64\wscript.exe	—	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384
3208	"C:\Users\admin\AppData\Local\Temp\AK47.exe"	C:\Users\admin\AppData\Local\Temp\AK47.exe	—	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe
User: admin Company: FEIM Studios Integrity Level: HIGH Description: A Free Enterprise Instant Messenger Exit code: 0 Version: 3, 5, 0, 1
3608	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
3988	"C:\Users\admin\Desktop\f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe"	C:\Users\admin\Desktop\f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe		explorer.exe
User: admin Integrity Level: HIGH
4188	ping -n 2 127.0.0.1	C:\Windows\SysWOW64\PING.EXE	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
4512	C:\Users\admin\AppData\Local\Temp\\AK74.exe	C:\Users\admin\AppData\Local\Temp\AK74.exe		f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe
User: admin Integrity Level: HIGH Exit code: 0
4592	C:\WINDOWS\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\admin\AppData\Local\Temp\AK74.exe > nul	C:\Windows\SysWOW64\cmd.exe	—	AK74.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID	Process	Filename		Type
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\svchcst.exe		executable
		MD5:588A3D3EC2A1E9967EA4C8A0BD492558	SHA256:F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Local\Temp\AK74.exe		executable
		MD5:B0998AA7D5071D33DAA5B60B9C3C9735	SHA256:3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A
4512	AK74.exe	C:\Windows\SysWOW64\Ghiya.exe		executable
		MD5:B0998AA7D5071D33DAA5B60B9C3C9735	SHA256:3080B6BB456564899B0D99D4131BD6A0B284D31F7D80EF773E4872D94048D49A
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe		executable
		MD5:CCDEADDC873F03D600269ADC551CF23A	SHA256:9806B54CAA07D7B114C24066265D22DD880BBAEBEE22EA20DD11727DB9D57423
396	AK47.exe	C:\Windows\SysWOW64\1272171.txt		executable
		MD5:8EAAE0C0A7945BB10D1EFB12D74C2324	SHA256:942A7DE2DD0EAE7DC7DFB77A90C433518754B11A17BF08DB1855DD1ACC37ACD1
396	AK47.exe	C:\Windows\SysWOW64\ini.ini		text
		MD5:01C3085DD42DE4AECF03F81708411872	SHA256:8A2548B891036C71F80A3F765914092EE42340421E2B04374FC9F1247FE1F4C2
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Local\Temp\AK47.exe		executable
		MD5:423EB994ED553294F8A6813619B8DA87	SHA256:050B4F2D5AE8EAECD414318DC8E222A56F169626DA6CA8FEB7EDD78E8B1F0218
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk		binary
		MD5:D513248FB3F8CB7007AB16B6EA19571E	SHA256:FAD56F60D81B4FA49870BF50EFAA2C380BFC3F6A3A5B7ADD4EF0FC43A905AFDA
3988	f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070.exe	C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs		text
		MD5:17FE7BF9D8BBAD6AD6F80B1423CDD674	SHA256:DF0CDC607EFF62AFDF6ABE55DA5A2BB5DB531FD7B3C730793AE892F7921773C0
5640	Ghiya.exe	C:\Windows\System32\drivers\QAssist.sys		executable
		MD5:4E34C068E764AD0FF0CB58BC4F143197	SHA256:6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2092	RUXIMICS.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4308	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2092	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4308	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2092	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.139:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4308	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2092	RUXIMICS.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 51.124.78.146	whitelisted
www.bing.com	104.126.37.139 104.126.37.131	whitelisted
google.com	142.250.186.110	whitelisted
cf1549064127.f3322.net	—	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	20.189.173.10	whitelisted

General Info

f7e1327208f06e5cdd6bbf11568a3afaf6c8902f1b7f24c3dd304737f1759070

588A3D3EC2A1E9967EA4C8A0BD492558

EBC484B0BE32A74A13D5FC00D2D604FB6495A58C

F7E1327208F06E5CDD6BBF11568A3AFAF6C8902F1B7F24C3DD304737F1759070

49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYV0:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Starts CMD.EXE for self-deleting

GH0ST mutex has been found

Creates or modifies Windows services

SAINBOX has been detected

Changes the autorun value in the registry

Create files in the Startup directory

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Mutex name with non-standard characters

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Application launched itself

Executes as Windows Service

Hides command output

Creates files in the driver directory

Executes WMI query (SCRIPT)

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Connects to unusual port

Drops a system driver (possible attempt to evade defenses)

Creates or modifies Windows services

Runs PING.EXE to delay simulation

The process executes VB scripts

There is functionality for taking screenshot (YARA)

There is functionality for enable RDP (YARA)

INFO

The process uses the downloaded file

Reads the computer name

The sample compiled with chinese language support

Process checks computer location settings

Create files in a temporary directory

Checks supported languages

Creates files or folders in the user directory

UPX packer has been detected

VMProtect protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings